OBA2: An Onion approach to Binary code Authorship Attribution

Alrabaee, Saed; Saleem, Noman; Preda, Stere; Wang, Lingyu; Debbabi, Mourad

doi:10.1016/j.diin.2014.03.012

Cited by 64 publications

(45 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Counting the number of compare instructions, Checking the registers for each compare instruction, Checking the flow of each register from the beginning until the compare is reached, Classifying the register changes according to the 15 proposed classes in Alrabaee et al (2014).…”

Section: Register Flow Graphmentioning

confidence: 99%

“…A Register Flow Graph (RFG) is used to capture how registers are manipulated by binary code, which is originally designed for authorship identification of binary code (Alrabaee et al, 2014). RFGs describe the flow and dependencies between registers as an important semantic aspect of the behavior of a program, which might indicate authorship as well as functionality.…”

Section: Register Flow Graphmentioning

confidence: 99%

See 1 more Smart Citation

SIGMA: A Semantic Integrated Graph Matching Approach for identifying reused functions in binary code

Alrabaee

Shirani

Wang

et al. 2015

Digital Investigation

Self Cite

View full text Add to dashboard Cite

a b s t r a c tThe capability of efficiently recognizing reused functions for binary code is critical to many digital forensics tasks, especially considering the fact that many modern malware typically contain a significant amount of functions borrowed from open source software packages. Such a capability will not only improve the efficiency of reverse engineering, but also reduce the odds of common libraries leading to false correlations between unrelated code bases. In this paper, we propose SIGMA, a technique for identifying reused functions in binary code by matching traces of a novel representation of binary code, namely, the Semantic Integrated Graph (SIG). The SIG s enhance and merge several existing concepts from classic program analysis, including control flow graph, register flow graph, and function call graph into a joint data structure. Such a comprehensive representation allows us to capture different semantic descriptors of common functionalities in a unified manner as graph traces, which can be extracted from binaries and matched to identify reused functions, actions, or open source software packages. Experimental results show that our approach yields promising results. Furthermore, we demonstrate the effectiveness of our approach through a case study using two malware known to share common functionalities, namely, Zeus and Citadel.

show abstract

Section: Register Flow Graphmentioning

confidence: 99%

Section: Register Flow Graphmentioning

confidence: 99%

SIGMA: A Semantic Integrated Graph Matching Approach for identifying reused functions in binary code

Alrabaee

Shirani

Wang

et al. 2015

Digital Investigation

Self Cite

View full text Add to dashboard Cite

show abstract

“…Machine learning techniques are then applied to rank these features based on their relative correlations with authorship. A subsequent approach to automatically identify the authorship of software binaries is proposed by Alrabaee et al [13]. The main concept employed by this method is to extract a sequence of instructions with specific semantics and to construct a graph based on register manipulation, where a machine learning algorithm is applied afterwards.…”

Section: Binary Code Authorship Attributionmentioning

confidence: 99%

“…Register Flow Graph: This graph captures the flow and dependencies between the registers that annotated to cmp instruction [13]. Such graph can capture an important semantic aspects about the behavior of a program, which might indicate the authors skills or habits.…”

Section: Features Of Binary Filesmentioning

confidence: 99%

On the Feasibility of Malware Authorship Attribution

Alrabaee¹,

Shirani²,

Debbabi³

et al. 2016

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

There are many occasions in which the security community is interested to discover the authorship of malware binaries, either for digital forensics analysis of malware corpora or for thwarting live threats of malware invasion. Such a discovery of authorship might be possible due to stylistic features inherent to software codes written by human programmers. Existing studies of authorship attribution of general purpose software mainly focus on source code, which is typically based on the style of programs and environment. However, those features critically depend on the availability of the program source code, which is usually not the case when dealing with malware binaries. Such program binaries often do not retain many semantic or stylistic features due to the compilation process. Therefore, authorship attribution in the domain of malware binaries based on features and styles that will survive the compilation process is challenging. This paper provides the state of the art in this literature. Further, we analyze the features involved in those techniques. By using a case study, we identify features that can survive the compilation process. Finally, we analyze existing works on binary authorship attribution and study their applicability to real malware binaries.Comment: FPS 201

show abstract

“…Attributing authorship of source codes with unknown authors has been studied extensively for several decades but less so for binaries. In some prominent studies such as [14], [2], authors have utilized machine learning techniques to correlate syntax-based features with authorship to identify the author of program binaries. In [3], authors have analyzed the effects of compiler optimization (in three levels), removing symbol information and applying basic binary obfuscation methods (such as instruction replacement and control flow graph obfuscation) on several features mainly obtained from disassembling and decompiling the executable binaries (e.g.…”

Section: Other Methods Of Protecting Binariesmentioning

confidence: 99%

An attempt toward Authorship Analysis of Obfuscated .NET Binaries

Morovati¹

2017

IJCSDF

View full text Add to dashboard Cite

This research is an attempt toward facilitating the authorship attribution of an unknown .NET executable by identifying obfuscation resistant features of .NET binaries. The primary goal of this study is to examine the effectiveness of obfuscation techniques for hiding the author's programming style. In this research, I have tested features such as op-code frequencies, op-code n-grams, API function calls and some features obtained from program Control Flow Graph.

show abstract

OBA2: An Onion approach to Binary code Authorship Attribution

Cited by 64 publications

References 2 publications

SIGMA: A Semantic Integrated Graph Matching Approach for identifying reused functions in binary code

SIGMA: A Semantic Integrated Graph Matching Approach for identifying reused functions in binary code

On the Feasibility of Malware Authorship Attribution

An attempt toward Authorship Analysis of Obfuscated .NET Binaries

Contact Info

Product

Resources

About